OS X Vulnerability Can Allow Superuser Access to Unauthorized Users

Discussion in 'MacRumors.com News Discussion' started by MacRumors, Aug 28, 2013.

  1. macrumors bot

    MacRumors

    Joined:
    Apr 12, 2001
    #1
    Users looking to exploit a vulnerability in the Sudo Unix command, originally reported back in March, have received some assistance, reports Ars Technica.

    The developers of Metasploit, software that makes it easier to misuse vulnerabilities in operating systems and applications, have added the Sudo vulnerability to their software suite. All versions of OS X from OS X Lion 10.7 through the current Mountain Lion 10.8.4 remain vulnerable.
    Most of the recent exploits in Mac OS X have been related to Java, which Apple completely blocked earlier this year over security vulnerabilities, though Apple did release a standalone malware removal tool to help clean machines that were affected by a number of Java vulnerabilities.

    OS X has been targeted more in recent years as it has gained in popularity. The Janicab.A malware was discovered last month, while another program called macs.app was discovered in May. That app captured and stored screenshots.

    Article Link: OS X Vulnerability Can Allow Superuser Access to Unauthorized Users
     
  2. macrumors regular

    Joined:
    Jun 13, 2013
    #2
    Interesting. Let's hope they patch this soon.
     
  3. macrumors member

    Joined:
    Feb 23, 2011
    #3
    "For one, the end-user who is logged in must already have administrator privileges. And for another, the user must have successfully run sudo at least once in the past."

    I'm not too sure why a user who already has admin access would bother using an exploit to gain admin privilege - an access level he already has.
     
  4. macrumors 65816

    Dalton63841

    Joined:
    Nov 27, 2010
    Location:
    SEMO, USA
    #4
    What it is saying is that if an attacker already has access to your machine, AND you are on an administrator account, AND you have opened Terminal and used sudo, THEN they could maybe gain root access to your account.
     
  5. macrumors member

    Joined:
    Sep 7, 2006
    #5
    I was confused about this too. The summary doesn't go into much detail, and the title can be misread/is confusing. Does it mean that unauthorized users can somehow gain root? Is it an exploit that is possible when one logged-in user has root access and another logged-in remote or physical user has some level of shell access (e.g. via guest account or via low-privileged user account)?
     
  6. macrumors 601

    Joined:
    Jun 19, 2007
    Location:
    Plymouth, MN
    #6
    Admin and root are two different levels of access. You can do some things with root that you cannot do with admin. Root is the deepest access one can have - but it's not really the goal of most hackers. An administrator account is probably the most that an attacker really needs since they can pretty much do anything they need with that account.

    So an exploit that needs admin rights access and one that requires you to have used sudo isn't one that is high priority. The number of users that run sudo at all is really small, and from a security standpoint, if you have admin rights, all security goes out the window. In other words, you don't have security.
     
  7. macrumors 68000

    sjinsjca

    Joined:
    Oct 30, 2008
    #7
    Admin != root
     
  8. macrumors 6502

    Joined:
    Sep 18, 2011
    Location:
    Las Vegas, NV
    #8
    I know a lot of Mac users, and only one other person I know of has ever used sudo. We are both sysadmins/programmers. It also seems like if the attacker already has shell access to your machine, then either they already have an account on the machine (probably someone the machine owner knows) or they already used another exploit to get to this point. I don't see this as a major concern, but obviously it should be fixed.

    ----------

    That's a lot of if/ands... =)
     
  9. macrumors 601

    goobot

    Joined:
    Jun 26, 2009
    Location:
    long island NY
    #9
    Lots of people have their Mac set up to log in to their account automatically on boot. Also, if you steal someone's computer when it is in sleep mode and still logged in, there you go.
     
  10. macrumors newbie

    Joined:
    Jun 29, 2007
    #10
    Hrm. So, I had a machine once where I was an administrator, but not in the sudoers file. Fine - so I unlocked it and added myself via BBEdit. However, permissions were incorrect after updating the file, so sudo was "broken" on the machine. As an experiment, I used Disk Utility's repair permissions tool - and sure enough it fixed the sudoers file permissions, and I then had sudo access.

    I know what I describe above is probably expected behavior, but it made me rethink how secure I thought OS X was.
     
  11. macrumors 65816

    Dalton63841

    Joined:
    Nov 27, 2010
    Location:
    SEMO, USA
    #11
    Exactly. It's effectively a NON-issue, especially considering that the garden variety Mac user has never even opened Terminal. That having been said it still needs to be fixed. Who knows what fancy method they might find to exploit it if they don't fix it.
     
  12. macrumors 6502a

    Joined:
    Mar 3, 2008
    #12
    Since this is a "flaw" (to the extent it has been described) in sudo, it's not Mac-specific. Other flavors of UNIX are also affected. But it's more fun and gets more hits and attention when you call it an "OS X Vulnerability", as if it's Apple's mistake or fault and not due to an issue (if that's what it is) in one of several hundred non-Apple projects.
     
  13. macrumors regular

    Joined:
    Jun 19, 2012
    Location:
    California
    #13
    You don't need to run metasploit to exploit this bug.

    The following command should give you root if you are logged in to OS X as an Administrator and have used the "sudo" command at least once in the past. It will also set your system clock to 01/01/1970.

    Code:
    sudo -k
    systemsetup -setusingnetworktime Off -settimezone GMT -setdate 01:01:1970 -settime 00:00
    sudo su
    To set your system clock back to normal, go into the System Preferences and set the time and time zone back to the way it was.

    To prevent somebody from abusing this attack, you will need to run the following command after every time you use the sudo command, until it gets patched.
    Code:
    sudo -K
     
  14. macrumors 65816

    Dalton63841

    Joined:
    Nov 27, 2010
    Location:
    SEMO, USA
    #14
    From the original article:

     
  15. manu chao, Aug 28, 2013
    Last edited: Aug 28, 2013

    macrumors 68030

    Joined:
    Jul 30, 2003
    #15
    It's an OS X vulnerability if other Unix versions have long patched it in their current releases. The patch is there already, a Unix OS vendor just has to incorporate it.
     
  16. RabidMacFan, Aug 28, 2013
    Last edited: Aug 28, 2013

    macrumors regular

    Joined:
    Jun 19, 2012
    Location:
    California
    #16
    It's an OS X vulnerability because sudo is built into OS X. The copy of sudo that is installed is outdated (1.7.4p6) and has known vulnerabilities. The latest version of the release branch is 1.7.10p7, released on February 27, 2013.

    OS X inherits any vulnerabilities within the software that it ships with, just like Windows or Linux would inherit any vulnerabilities in software that they ship with. It may not be Mac-specific, but it definitely is an OS X vulnerability.
     
  17. macrumors newbie

    Joined:
    Jul 30, 2012
    Location:
    Tokyo, Japan
    #17
    Interesting.

    Just so it's clear, sudo ("superuser do") creates a timestamp file so you can continue running commands with superuser privileges. With sudo -k, you can reset the timestamp file to point to the beginning of Unix time (1/1/1970). If you can reset the system clock as well, then you can therefore run commands with sudo as though you had just run it. In OSX you can reset the system clock with systemsetup, which apparently (I can't check right now) does not require administrator perms unlike most Linux distributions, hence it being an OSX vulnerability.

    You need access to the computer in the first place, which probably limits the effectiveness of the exploit, but it's still a pretty ugly one with what I'd think is an obvious fix (test newer versions of sudo and update users or require higher permissions to change the system clock).
     
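    The mechanism in post #17 (a timestamp file rewound to 1970 by `sudo -k` on an old sudo) and the version numbers in post #16 suggest two defender-side checks. The script below is an added example, not code from the thread or from the sudo project: the function names are mine, the cut-off release 1.7.10p7 is the one post #16 cites as current, and /var/db/sudo as the OS X timestamp directory is an assumption, so both are parameters.

```shell
#!/bin/sh
# Added example (not from the thread): two defender-side checks for the sudo
# weakness discussed above. The cut-off release 1.7.10p7 comes from post #16;
# the timestamp directory /var/db/sudo is an assumption about OS X.

# Reduce "1.7.4p6" or a full "Sudo version 1.7.4p6" line to four numbers,
# "1 7 4 6"; a version without a patch level ("1.8.6") gets 0 as its fourth.
sudo_version_fields() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+\.[0-9]+/) { v = $i; break }
        sub(/p/, ".", v); split(v, f, ".")
        printf "%d %d %d %d\n", f[1], f[2], f[3], f[4]
    }'
}

# Return 0 (true) when version $1 is older than version $2.
sudo_version_lt() {
    set -- $(sudo_version_fields "$1") $(sudo_version_fields "$2")
    [ "$1" -ne "$5" ] && { [ "$1" -lt "$5" ]; return; }
    [ "$2" -ne "$6" ] && { [ "$2" -lt "$6" ]; return; }
    [ "$3" -ne "$7" ] && { [ "$3" -lt "$7" ]; return; }
    [ "$4" -lt "$8" ]
}

# Return 0 when the installed sudo ($1, e.g. "$(sudo -V | head -1)") predates
# the release the thread names as fixed.
sudo_predates_fix() {
    sudo_version_lt "$1" "${2:-1.7.10p7}"
}

# Modification time in seconds since the epoch; GNU stat first, then BSD/OS X.
file_mtime() {
    stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"
}

# Return 0 when any timestamp file under $1 has an mtime within a day of the
# epoch: on the old sudo, "sudo -k" rewinds the file to 1970 instead of removing
# it. After "sudo -K" (the workaround from post #13) no file should be present.
sudo_timestamps_rewound() {
    found=1
    for f in "${1:-/var/db/sudo}"/*; do
        [ -f "$f" ] || continue
        if [ "$(file_mtime "$f")" -lt 86400 ]; then
            echo "rewound sudo timestamp: $f"
            found=0
        fi
    done
    return "$found"
}
```

Running `sudo_timestamps_rewound` against the real directory needs read access to it, which on OS X means running the check itself with elevated rights.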
  18. macrumors 68030

    Joined:
    Jul 30, 2003
    #18
    It's very simple: when somebody manages to run code in your account (e.g., you clicked on a downloaded file which was actually an application and you ignored the warning, or an application you downloaded had a payload) they don't yet have access to settings like the firewall, deleting accounts, or installing and running some very low-level stuff. They still need an admin password; well, thanks to this exploit they don't need it anymore.

    But I wonder if the malicious code could not simply install a keylogger to eventually get your password? Or do you need an admin password to install a keylogger.
     
  19. macrumors 601

    Joined:
    Jun 19, 2007
    Location:
    Plymouth, MN
    #19
    If someone can get physical access to your hardware you can kiss any security in mind unless your drive is encrypted (which will require a password anyhow).

    I still fail to see how this is worse.

    If someone has admin access, and you lose your laptop or it's stolen - you're screwed even before this path could be exploited.
     
  20. brymck, Aug 28, 2013
    Last edited: Aug 28, 2013

    macrumors newbie

    Joined:
    Jul 30, 2012
    Location:
    Tokyo, Japan
    #20
    I think you know this already, but just so it's clear, it's actually more Mac-specific than that, because many Linux distributions require sudo in the first place to change the system clock. OS X doesn't. So while Linux distros have updated sudo, they haven't needed to with the same urgency. OS X, meanwhile, needs an update but hasn't had one. The vulnerability is really a combination of sudo and OS X's permission structure for system clock changes.

    As the Ars Technica article notes:

     
  21. macrumors G3

    charlituna

    Joined:
    Jun 11, 2008
    Location:
    Los Angeles, CA
    #21
    So the 'patch' is to be mindful of who has access to your computer.
     
  22. macrumors 68000

    Joined:
    May 25, 2009
    #22
    Sudo make me a sandwich.
     
  23. macrumors 65816

    Four oF NINE

    Joined:
    Sep 28, 2011
    Location:
    Soviet Union
    #23
    I'm not sure I even understand this particular vulnerability. Is this something that can be executed remotely or does someone require physical access to the machine?

    Are there any user steps that can preempt this particular vulnerability?
     
  24. macrumors 6502a

    Joined:
    Oct 4, 2008
    #24
    make: *** No rule to make target `me'. Stop.

    -SC
     
  25. V.K., Aug 28, 2013
    Last edited: Aug 28, 2013

    macrumors 6502

    V.K.

    Joined:
    Dec 5, 2007
    Location:
    Toronto, Canada
    #25
    EDIT: Mea culpa, I was wrong. This is a real vulnerability that needs to be fixed.
     
